The Health Data Conundrum

By Kathryn Haun and Eric J. Topol

Jan. 2, 2017

There’s quite a paradox when it comes to our health data. Most of us still cannot readily look at it, but there’s been an epidemic of cybercriminals and thieves hacking and stealing this most personal information.

Why is our private health information being stolen and trafficked by cybercriminals? For one, these records include information that makes them more valuable to hackers than almost any other type of data. Thieves can use this information to order medical equipment and drugs to resell and to fraudulently bill insurance companies, the costs of which are passed along to consumers.

Second, while our personal medical data is so precious and valuable to us, it’s an exceptionally easy target for criminals. The health care industry’s focus has been on patient care rather than cybersecurity, and federal regulations intended to protect financial data do not apply to health care records. It is common for millions of patients’ health records to be stored together in huge central databases that, once breached, yield a trove of information.

It has become increasingly difficult to combat this problem using traditional methods of enforcement and deterrence. Even assuming the wrongdoers are identified, there are often jurisdictional hurdles because the thieves aren’t in the United States or in countries that will easily extradite them. Moreover, companies that are hacked are restrained in their desire for the criminals to be prosecuted because that means their own embarrassing breach will be in the news that much longer. In April 2014, the F.B.I. issued an alert that these sorts of attacks would only increase as providers moved from paper to electronic records.

A recent theft involving Anthem is a perfect illustration. Tens of millions of patient records were compromised, all were stored in a centralized database, none were encrypted, and no one has been caught. Anthem’s response was to send out letters to victims offering free credit monitoring. But credit monitoring isn’t an antidote for a breach of medical records. What good does a form letter do for someone whose most private data has just been stolen?

What’s the solution? For starters, disaggregation, meaning that medical data should be stored in individual or family units rather than in centralized databases. Such a regime would return the data to the person who should own it in the first place: the patient. Each individual or family would have medical data in a personal cloud or a digital wallet. Patients could then share their data how they choose: with family members, with researchers, with other doctors for a second opinion.

We cannot leave it to the health record software companies — the Cerners, Epics and Allscripts of the world — to bring about the needed changes. Their business is to sell proprietary information software to health systems to create large centralized databases for such things as insurance reimbursements and patient care. Their success has relied on an old, paternalistic model in medicine in which the data is generated and owned by doctors and hospitals.

Yes, giving consumers control of their own medical data would revolutionize who owns medical data and how it is used. Concerns about researchers losing access to this amassed data are overstated. Patients have shown an overwhelming willingness to share their information for altruistic reasons (which far exceeds the track record of doctors and health systems when it comes to sharing data).

The private and academic sectors are hard at work on a technology solution: one that is tamper-proof, ensures confidentiality and makes sharing medical data easy. One approach, known as a blockchain, is an encrypted data platform that would give patients digital wallets containing all their medical data, continually updated, that they can share at will.

We need to move on from the days of health systems storing and owning all our health data. Patients should be the owners of their own medical data. It’s an entitlement and civil right that should be recognized.

Kathryn Haun is a federal prosecutor who teaches a course on cybercrime at Stanford Law School. Her views are her own. Eric J. Topol, a professor at the Scripps Research Institute, is the author of “The Patient Will See You Now.”